The following are examples for using the SPL2 dedup command. To learn more about the dedup command, see How the dedup command works.

1. Remove duplicate results based on one field
Remove duplicate search results with the same host value.

2. Keep the first 3 duplicate results
For search results that have the same source value, keep the first 3 that occur and remove all subsequent results.

3. Sort events in ascending order before removing duplicate values
Use the order by clause in the from command to sort the events by time in ascending order, the default order. Sorting the events ensures that the oldest events are listed first. Then remove duplicate results with the same source value.
| from main order by ASC _time | dedup source

4. Sort events after removing duplicate values
Remove duplicate search results with the same host value and sort the events by the _size field in descending order.

5. Keep results that have the same combination of values in multiple fields
For search results that have the same combination of source AND host values, keep the first 2 that occur and remove all subsequent results.

6. Remove only consecutive duplicate events
In this example duplicates must have the same combination of values in the source and host fields.

Now, a few points about subsearches:
1) A subsearch is a search that is used to reduce the set of events in your result set.
2) The result of the subsearch is used as an argument to the primary, or outer, search.
3) Subsearches must be enclosed in square brackets and must start with a generating command (e.g. search, makeresults). If you want to know more about generating commands, see the separate post on generating commands.

First, let me show you the data we are going to use to demonstrate subsearches.

Here, we will use two indexes, 1) employee_info_main 2) employee_info_sub, and from these two indexes we are going to take a common field, "Employee_Name", which contains the names of some employees.

Please see the below query for the data in the index "employee_info_main", which we will use as the primary search.
index=employee_info_main | table Employee_Name | dedup Employee_Name
As you can see, the field "Employee_Name" contains the names of 5 employees.

Please see the below query for the data in the index "employee_info_sub", which we will use as the subsearch.
index=employee_info_sub | table Employee_Name | dedup Employee_Name
As you can see, the field "Employee_Name" contains the names of 3 employees.

Now, if you want to search for the values of the "Employee_Name" field of the 2nd index, "employee_info_sub", inside the 1st index, "employee_info_main", you can use a subsearch to do that. So, let's see:

Example 1:
index=employee_info_main | table Employee_Name | dedup Employee_Name | search [ ... ]

Here, our primary search is:
index=employee_info_main | table Employee_Name | dedup Employee_Name
and our subsearch is the query from the "employee_info_sub" index, enclosed in the square brackets.

As you can see in the primary query, first we retrieve the unique values of the "Employee_Name" field in tabular form from the index "employee_info_main" using the "table" and "dedup" commands. Then we use the "search" command, because we want to search for the result of the subsearch within the result set of the primary query. Since we wanted to search for the values of "Employee_Name" from the 2nd index, "employee_info_sub", inside the 1st index, "employee_info_main", we put the query from the "employee_info_sub" index in square brackets as a subsearch.

If you compare the above image with image 1 and image 2, you can easily see that we successfully searched for the values of the "Employee_Name" field of the "employee_info_sub" index in the "employee_info_main" index.

You can also read: USAGE OF SPLUNK COMMANDS: DELETE

Now, what if you want to discard the values of "Employee_Name" for "employee_info_sub" from the result set?
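To make the subsearch mechanics concrete, here is an added example (not code from the post and not Splunk code) that models in Python what Splunk does with the bracketed query in Example 1: the inner search runs first, its result rows are turned into one OR expression, and that expression filters the outer results. The employee names, the two in-memory "indexes" and the bracketed subsearch string are constructed assumptions; the post does not reproduce its subsearch text, so the inner query here is a reconstruction. The same function also answers the closing question about discarding the "employee_info_sub" names, using `search NOT [...]`.

```python
"""Model of how a Splunk subsearch narrows the outer search in Example 1.

Added example: not code from the post and not Splunk code.  The two
in-memory "indexes", the employee names and the bracketed subsearch text
are constructed assumptions (the post does not reproduce its subsearch,
so SUBSEARCH below is a reconstruction of it).
"""

# Constructed stand-ins for the two indexes in the post: five distinct
# names in employee_info_main, three of which also appear in employee_info_sub.
EMPLOYEE_INFO_MAIN = [
    {"Employee_Name": "Alice"},
    {"Employee_Name": "Bob"},
    {"Employee_Name": "Alice"},  # duplicate event, removed by dedup
    {"Employee_Name": "Carol"},
    {"Employee_Name": "Dave"},
    {"Employee_Name": "Eve"},
]
EMPLOYEE_INFO_SUB = [
    {"Employee_Name": "Bob"},
    {"Employee_Name": "Dave"},
    {"Employee_Name": "Bob"},
    {"Employee_Name": "Eve"},
]

# Reconstructed SPL for the post's Example 1 and for its closing question
# (excluding the employee_info_sub names).  The inner query is assumed.
PRIMARY_SEARCH = "index=employee_info_main | table Employee_Name | dedup Employee_Name"
SUBSEARCH = "[search index=employee_info_sub | table Employee_Name | dedup Employee_Name]"
EXAMPLE1_SEARCH = f"{PRIMARY_SEARCH} | search {SUBSEARCH}"
EXCLUDE_SEARCH = f"{PRIMARY_SEARCH} | search NOT {SUBSEARCH}"


def table_dedup(events, field):
    """`table <field> | dedup <field>`: one row per distinct value, first seen wins."""
    seen, rows = set(), []
    for ev in events:
        if ev[field] not in seen:
            seen.add(ev[field])
            rows.append({field: ev[field]})
    return rows


def format_subsearch(rows, field):
    """The expression Splunk substitutes for the brackets: every inner result
    row becomes a field=value term and the terms are OR'ed together (the
    shape of the string `| format` shows when appended to the inner query)."""
    terms = [f'( {field}="{row[field]}" )' for row in rows]
    return "( " + " OR ".join(terms) + " )"


def run_example1(negate=False):
    """Outer rows kept by `search [subsearch]`, or by `search NOT [subsearch]`
    when negate=True (the post's closing question)."""
    inner_rows = table_dedup(EMPLOYEE_INFO_SUB, "Employee_Name")
    inner_values = {row["Employee_Name"] for row in inner_rows}
    outer_rows = table_dedup(EMPLOYEE_INFO_MAIN, "Employee_Name")
    kept = [row for row in outer_rows
            if (row["Employee_Name"] in inner_values) != negate]
    return [row["Employee_Name"] for row in kept]


if __name__ == "__main__":
    inner = table_dedup(EMPLOYEE_INFO_SUB, "Employee_Name")
    print(EXAMPLE1_SEARCH)
    print("brackets expand to:", format_subsearch(inner, "Employee_Name"))
    print("kept:", run_example1())
    print("kept with NOT:", run_example1(negate=True))
```

In real Splunk you can see the expanded expression by running the inner query with `| format` appended. Two defaults matter when a subsearch is used as a watchlist or IOC match list in detection content: a subsearch returns at most 10,000 results and is stopped after 60 seconds (subsearch_maxout and subsearch_maxtime in limits.conf), and when either limit is hit the OR expression is truncated with only a job-message warning, so entries past the limit are never matched. For large lists, a lookup file or a stats-based join is the safer pattern.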
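As an added illustration of the six SPL2 dedup examples on this page (my own code, not the Splunk documentation's queries and not Splunk code), the following Python models what each variant keeps from a constructed stream of events. The events are constructed, and the SPL2 query strings quoted in each function's docstring are my reading of the example descriptions: the page gives only the query for example 3, so the other five, including the sort syntax in example 4 and the placement of consecutive=true in example 6, are assumptions.

```python
"""Model of the SPL2 dedup variants from the six examples.

Added example: not the Splunk documentation's queries and not Splunk code.
The events below are constructed; the SPL2 strings quoted in each
function's docstring are my reading of the example descriptions (only
example 3's query appears on the page), so treat them as assumptions.
"""

# Constructed events in arrival order, deliberately not in _time order,
# so that sorting before dedup changes which event survives.
EVENTS = [
    {"_time": 4, "source": "auth.log", "host": "web1", "_size": 450},
    {"_time": 1, "source": "auth.log", "host": "web1", "_size": 300},
    {"_time": 2, "source": "auth.log", "host": "web2", "_size": 600},
    {"_time": 3, "source": "syslog",   "host": "web1", "_size": 900},
    {"_time": 5, "source": "auth.log", "host": "web1", "_size": 50},
    {"_time": 6, "source": "syslog",   "host": "web2", "_size": 700},
    {"_time": 7, "source": "auth.log", "host": "web2", "_size": 10},
]


def dedup(events, *fields, keep=1, consecutive=False):
    """dedup [N] <fields> [consecutive=true]: drop later events whose values
    in `fields` repeat an earlier event's.  `keep` is N (default 1).  With
    consecutive=True only a run of back-to-back duplicates is collapsed."""
    seen = {}
    previous = None
    out = []
    for ev in events:
        key = tuple(ev[f] for f in fields)
        if consecutive:
            if key != previous:
                out.append(ev)
            previous = key
        elif seen.get(key, 0) < keep:
            seen[key] = seen.get(key, 0) + 1
            out.append(ev)
    return out


def times(events):
    """Return the _time values, which identify the surviving events."""
    return [ev["_time"] for ev in events]


def example1():
    """| from main | dedup host"""
    return times(dedup(EVENTS, "host"))


def example2():
    """| from main | dedup 3 source"""
    return times(dedup(EVENTS, "source", keep=3))


def example3():
    """| from main order by ASC _time | dedup source   (the page's own query)"""
    oldest_first = sorted(EVENTS, key=lambda ev: ev["_time"])
    return times(dedup(oldest_first, "source"))


def example4():
    """| from main | dedup host | sort -_size   (sort syntax assumed)"""
    kept = dedup(EVENTS, "host")
    return times(sorted(kept, key=lambda ev: ev["_size"], reverse=True))


def example5():
    """| from main | dedup 2 source host"""
    return times(dedup(EVENTS, "source", "host", keep=2))


def example6():
    """| from main | dedup source host consecutive=true   (option placement assumed)"""
    return times(dedup(EVENTS, "source", "host", consecutive=True))


if __name__ == "__main__":
    for fn in (example1, example2, example3, example4, example5, example6):
        print(fn.__doc__.strip(), "->", fn())
```

The contrast between example 1 and example 3 is the point to remember in detection work: dedup keeps whichever event it meets first, so the surviving event per host or source depends on the order in which the search hands events to it. Sort explicitly before deduplicating when "first" is meant to mean oldest (or newest), rather than relying on the default order.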